Netgate Discussion Forum

Help with blocking Rule!

OpenVPN
10 Posts 3 Posters 2.0k Views
  • N
    nexys
    last edited by Aug 30, 2013, 5:36 AM

    Hi, I have these networks:

    LAN -> 10.0.10.0/24
    DEVELOPERS_VPN -> 10.0.1.0/24

    I just want to allow access to one IP but I tried any way to block the access to an IP or a subnet without any success.

    My connection to the VPN is fine.

    Here is proof of the problem: I try to block the IP 10.0.10.3, but I can still ping it and I can also log in with RDP (it's a Windows machine), and as you can see I set "any" in the proto property.

    Have I been doing something wrong?

    • M
      marvosa
      last edited by Aug 30, 2013, 8:03 AM

      You have your rule set to pass instead of block.  Edit your rule and set "Action" to Block.

      • N
        nexys
        last edited by Aug 30, 2013, 3:06 PM Aug 30, 2013, 3:03 PM

        @marvosa:

        You have your rule set to pass instead of block.  Edit your rule and set "Action" to Block.

        I did try that way and it doesn't work. The rule in the screen capture should work to block traffic only for 10.0.10.3 (look at the negation operator in front of the IP address), and it also doesn't work.

        Any ideas?

        • M
          marvosa
          last edited by Aug 30, 2013, 3:49 PM

          My guess is you probably missed a step.  Because right now your rule is a pass rule.

          Go back and edit that rule again, change pass to block, and hit save.  At this point, it shows you the rule you created and you should see that the icon that once was a green triangle (pass) turned into a red "x" (block).  After that, you still have to hit "Apply Changes" or the rule changes never get implemented.

          • N
            nexys
            last edited by Aug 30, 2013, 8:28 PM Aug 30, 2013, 8:27 PM

            @marvosa:

            My guess is you probably missed a step.  Because right now your rule is a pass rule.

            Go back and edit that rule again, change pass to block, and hit save.  At this point, it shows you the rule you created and you should see that the icon that once was a green triangle (pass) turned into a red "x" (block).  After that, you still have to hit "Apply Changes" or the rule changes never get implemented.

            Like I told you, I tried it that way, and the way I'm doing it should work as well.

            Look at this

            If there is no "allow any any" rule, I won't be able to connect to the internet as usual.

            I also tested it without the "allow any any" rule, and it doesn't block traffic to IP 10.0.10.3.

            Any other idea?

            • M
              marvosa
              last edited by Aug 31, 2013, 5:02 AM

              Ok, I tested on my end, the only difference is I used "any" for a source.  I experienced the same behavior, but I believe I now know what the issue is.  The rule looks ok, but it's still allowing communication because the states still exist for everything that used to connect to that IP.  In my own testing, as soon as I removed the state from the IP I wanted to block, the constant ping I had going stopped immediately.

              So, go to Diagnostics -> States then filter by 10.0.10.3 and remove all states associated with that IP or you can go to the "Reset States" tab and remove all states at once.

              This should solve your problem.

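The behaviour marvosa describes (a new block rule has no effect on a flow that already has an entry in the state table) can be shown with a small model of a stateful firewall. This is an added example, not pfSense code; the rule format, the VPN client address 10.0.1.6 and the `kill_states` helper are constructed for illustration.

```python
# Added example: a minimal model of pf-style stateful filtering, not pfSense's
# own code. It shows why adding a block rule does not cut off an existing ping
# to 10.0.10.3 until the states for that address are cleared
# (Diagnostics -> States in the pfSense GUI).
from ipaddress import ip_address, ip_network


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)   # evaluated top to bottom, first match wins
        self.states = set()        # (src, dst, proto) of flows already passed

    def _rule_matches(self, rule, src, dst, proto):
        if rule["proto"] != "any" and rule["proto"] != proto:
            return False
        return (ip_address(src) in ip_network(rule["src"])
                and ip_address(dst) in ip_network(rule["dst"]))

    def packet(self, src, dst, proto):
        """Return 'pass' or 'block' for one packet of the flow (src, dst, proto)."""
        key = (src, dst, proto)
        # State lookup happens before the rule set is consulted: an existing
        # state passes the packet even if a block rule was added afterwards.
        if key in self.states:
            return "pass"
        for rule in self.rules:
            if self._rule_matches(rule, src, dst, proto):
                if rule["action"] == "pass":
                    self.states.add(key)   # pass rules create state; block rules do not
                return rule["action"]
        return "block"                     # implicit default deny

    def kill_states(self, addr):
        """Drop every state that has addr as source or destination (constructed helper)."""
        self.states = {s for s in self.states if addr not in s[:2]}


allow_any = {"action": "pass", "proto": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"}
block_host = {"action": "block", "proto": "any", "src": "10.0.1.0/24", "dst": "10.0.10.3/32"}


def demo():
    fw = StatefulFirewall([allow_any])
    before = fw.packet("10.0.1.6", "10.0.10.3", "icmp")   # 'pass', state created
    fw.rules.insert(0, block_host)                         # block rule added on top
    still = fw.packet("10.0.1.6", "10.0.10.3", "icmp")    # still 'pass': state exists
    fw.kill_states("10.0.10.3")                            # clear states for the host
    after = fw.packet("10.0.1.6", "10.0.10.3", "icmp")    # now 'block'
    return before, still, after
```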
              • N
                nexys
                last edited by Aug 31, 2013, 7:35 AM Aug 31, 2013, 7:33 AM

                @marvosa:

                Ok, I tested on my end, the only difference is I used "any" for a source.  I experienced the same behavior, but I believe I now know what the issue is.  The rule looks ok, but it's still allowing communication because the states still exist for everything that used to connect to that IP.  In my own testing, as soon as I removed the state from the IP I wanted to block, the constant ping I had going stopped immediately.

                So, go to Diagnostics -> States then filter by 10.0.10.3 and remove all states associated with that IP or you can go to the "Reset States" tab and remove all states at once.

                This should solve your problem.

                It worked, but in a weird way. I can still ping 10.0.10.3, but then I changed the disallowed IP to 10.0.10.8 and applied, and then I couldn't ping 10.0.10.8; it worked as expected. But then I deleted the block rule for 10.0.10.8 and applied, and I still couldn't ping 10.0.10.8.

                I also tried restarting the OpenVPN service and resetting the states, and nothing.

                A bug maybe?

                • D
                  doktornotor Banned
                  last edited by Aug 31, 2013, 7:35 AM

                  Reboot

                  • N
                    nexys
                    last edited by Aug 31, 2013, 7:58 AM Aug 31, 2013, 7:55 AM

                    @doktornotor:

                    Reboot

                    I can't reboot, I have some services running with connections.

                    I think the rules take some time to take effect.

                    Has anyone been through this?

                    • D
                      doktornotor Banned
                      last edited by Aug 31, 2013, 9:16 AM

                      Well, if you cannot reboot, then wait.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.